AFM DORA Review: ICT Risk Gaps at Trading Venues
The Dutch Authority for the Financial Markets (AFM) has published findings from a thematic review into how trading venues are implementing the Digital Operational Resilience Act (DORA). The headline: foundational work is in place, but significant gaps remain across security monitoring, access management, logging, emergency change procedures, and continuity management. The AFM has made clear it will intervene where firms fall short of statutory requirements, and that its supervisory focus is shifting from paper policies to demonstrated operational practice.
What DORA Requires and Why Trading Venues Are in Scope
DORA became fully applicable across the EU in January 2025. It establishes binding requirements for ICT risk management, incident reporting, operational resilience testing, and third-party ICT risk oversight. Trading venues, specifically regulated markets, multilateral trading facilities (MTFs), and organised trading facilities (OTFs), sit squarely within its scope. ICT outages, cyber incidents, and system failures at these venues carry direct potential to undermine market integrity and investor confidence, which is precisely why the AFM chose them as the subject of this review.
The AFM's Supervisory Posture
The regulator has signalled a meaningful shift in how it conducts oversight. Rather than assessing whether a firm has a written policy, the AFM now evaluates whether controls are actually working and whether they genuinely contribute to digital operational resilience. Firms that are only partially compliant with DORA's legal requirements can expect regulatory intervention.
Key Findings from the Thematic Review
The AFM's review identified a consistent pattern: the broad architecture of an ICT risk framework is usually present, but the depth, specificity, and governance around it are often inadequate. Below are the specific areas the regulator called out.
Gap Analyses Are Too High-Level
Most trading venues in the review had conducted gap analyses against DORA requirements. The problem is that these assessments were frequently too broad. When the gap analysis operates at a high level of abstraction, relevant DORA obligations can fall through the cracks, and deficiencies only become visible later, at which point remediation is more costly and more difficult. The AFM recommends that firms conduct more granular, periodic gap assessments rather than a one-time high-level exercise.
Specific ICT Control Weaknesses
Several components of the ICT management framework were identified as needing improvement. The areas the AFM highlighted are not peripheral; they sit at the core of what cyber resilience actually means in practice:
- Security monitoring: Controls for detecting and responding to threats in real time require strengthening.
- Access management: Governance over who can access which systems, and under what conditions, is inconsistent with DORA's expectations.
- Logging: Audit trail completeness and integrity need attention; logs are a foundational tool for both incident response and regulatory inspection.
- Emergency change procedures: The processes governing urgent or unplanned changes to ICT systems lack the rigour DORA demands.
- Continuity management: Business continuity and disaster recovery arrangements do not consistently meet the required standard.
Policy and Procedure Distinction Is Blurred
The AFM found that firms are not always drawing a clear distinction between policies and procedures. This matters because DORA specifies that certain requirements must be embedded at the policy level, which carries implications for governance and formal board-level approval. When policies and procedures are conflated in documentation, it becomes difficult to demonstrate that the regulatory requirement has been formally adopted. Clear governance structures and documented board approval are, in the AFM's view, essential to evidencing compliance.
Group-Level ICT Policy Gaps
Where trading venues operate as part of a larger group and consume ICT services from within that group, the review found that DORA requirements are not consistently embedded in group-level policy and documentation. The AFM's recommendation is that institutions establish DORA-aligned policy frameworks at the group level, which then cascade consistently to entity level. Without that, individual entities may believe they are covered by group arrangements when gaps actually exist.
What Firms Should Do Now
The AFM has explicitly called on trading venues to consider and, where applicable, act on the findings and recommendations from this review in their ongoing DORA implementation. For compliance officers, CFOs, and auditors at or advising trading venues, the practical takeaways are concrete.
Reassess the Gap Analysis
If your DORA gap analysis was conducted at a high level or as a one-time exercise, it needs revisiting. Map each DORA article and implementing technical standard to a specific control, owner, and evidence artefact. Build a periodic review cadence into the compliance calendar rather than treating the gap analysis as a completed item.
Test Controls, Not Just Documentation
Given the AFM's stated shift toward assessing whether measures actually work, firms should move beyond policy reviews into operational testing. Security monitoring alerts, access provisioning and deprovisioning workflows, log integrity checks, and continuity failover tests should all be subject to documented testing with outcomes recorded.
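The two steps above (a granular gap analysis mapped to a control, an owner and an evidence artefact on a periodic cadence, and operational testing such as log integrity checks) can be made mechanical rather than left to a spreadsheet. The following is an added illustration written for this article, not AFM guidance or any trading venue's tooling: the DORA article references, control identifiers, owners and log lines are constructed placeholders. It keeps a small control register, reports mappings that lack evidence or whose last test has fallen outside the review cadence, and verifies a hash-chained audit log so that a removed or altered entry is detectable.

```python
"""Constructed example: DORA control register with review cadence plus a
hash-chained audit-log integrity check. Not AFM or DORA reference code;
all identifiers below are placeholders."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class ControlMapping:
    requirement: str            # placeholder article reference, e.g. "DORA Art. X"
    control_id: str             # internal control identifier (constructed)
    owner: str                  # accountable owner (constructed)
    evidence: str               # reference to the evidence artefact, "" if none
    last_tested: Optional[date] # date of the last documented test, None if never
    cadence_days: int = 90      # how often the control must be re-tested


def sample_register() -> List[ControlMapping]:
    """Three constructed mappings: one current, one unevidenced, one stale."""
    return [
        ControlMapping("DORA Art. X (security monitoring)", "CTRL-01", "SOC lead",
                       "evidence/ctrl-01-alert-test.pdf", date(2025, 5, 1)),
        ControlMapping("DORA Art. Y (access management)", "CTRL-02", "IAM lead",
                       "", None),
        ControlMapping("DORA Art. Z (logging)", "CTRL-03", "Platform lead",
                       "evidence/ctrl-03-log-check.txt", date(2025, 1, 1)),
    ]


def overdue_or_unevidenced(register: List[ControlMapping],
                           today: date) -> List[Tuple[str, str]]:
    """Return (requirement, reason) pairs a gap review should flag."""
    findings = []
    for m in register:
        if not m.evidence:
            findings.append((m.requirement, "no evidence artefact"))
        elif m.last_tested is None:
            findings.append((m.requirement, "never tested"))
        elif today - m.last_tested > timedelta(days=m.cadence_days):
            findings.append((m.requirement, "test overdue"))
    return findings


# Constructed audit-log lines for an access-provisioning workflow.
SAMPLE_LOG = [
    "2025-05-01T09:00:00Z user=alice action=grant role=trader-readonly approver=bob",
    "2025-05-01T09:05:00Z user=carol action=grant role=settlement-ops approver=bob",
    "2025-05-02T17:30:00Z user=alice action=revoke role=trader-readonly approver=bob",
]
SEED = b"\x00" * 32  # genesis value for the chain; in practice a stored anchor


def chain_entries(lines: List[str], seed: bytes = SEED) -> List[Tuple[str, str]]:
    """Attach a SHA-256 digest to each line that also covers the previous digest."""
    prev = seed
    out = []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode()).digest()
        out.append((line, digest.hex()))
        prev = digest
    return out


def verify_chain(entries: List[Tuple[str, str]], seed: bytes = SEED) -> int:
    """Recompute the chain; return the index of the first bad entry, or -1."""
    prev = seed
    for i, (line, digest_hex) in enumerate(entries):
        expected = hashlib.sha256(prev + line.encode()).digest()
        if expected.hex() != digest_hex:
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    for req, reason in overdue_or_unevidenced(sample_register(), date(2025, 6, 1)):
        print(f"FLAG {req}: {reason}")
    entries = chain_entries(SAMPLE_LOG)
    print("log intact:", verify_chain(entries) == -1)
    tampered = list(entries)
    tampered[1] = (tampered[1][0].replace("settlement-ops", "admin"), tampered[1][1])
    print("first tampered index:", verify_chain(tampered))
```

The register check is the repeatable form of the gap analysis the AFM asks for: each flagged item is a requirement with a named owner and a missing or stale artefact, which is exactly what a supervisor reviewing evidence will look for. The chain check is one way to produce a recorded outcome for a log integrity test; it only detects tampering of entries after the stored anchor, so the anchor itself must be kept somewhere the log writer cannot change.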
Resolve the Policy-Procedure Distinction
Review your documentation taxonomy. Identify which DORA obligations explicitly require a policy-level instrument and ensure those documents exist, are clearly labelled as policies, and carry formal board or senior management approval. Cross-referencing procedures to the relevant policy also makes supervision and internal audit significantly more straightforward.
Align Group ICT Frameworks
If your entity relies on group ICT services, work with your group compliance and technology teams to ensure DORA requirements are explicitly addressed in group-level policies. A gap at the group level cannot be papered over at entity level; the regulator will look at both.
Firms handling crypto-asset transactions alongside traditional instruments should ensure their crypto compliance reporting infrastructure is subject to the same DORA-aligned ICT risk controls. Crypto accounting software and digital asset accounting software used in operations or reporting chains are ICT tools within scope of the firm's broader ICT risk framework; their resilience, access controls, and logging capabilities are therefore relevant to DORA assessments. The quality of data flowing through those systems also has direct implications for regulatory reporting accuracy.
For context on how DORA's incident reporting requirements play out in practice across the EU, the earlier analysis of DORA ICT incident reporting obligations for EU firms covers the first annual ESA incident report in detail. Firms operating in the Netherlands specifically should also be aware of AFM Distance Marketing Financial Services Directive requirements for crypto providers, which sit alongside DORA in the AFM's current supervisory priorities.
FAQs
Which entities does this AFM review directly concern?
The review focused on trading venues operating under Dutch AFM supervision: regulated markets, multilateral trading facilities, and organised trading facilities. However, the findings reflect common implementation challenges across the sector, and other financial entities subject to DORA should treat the AFM's recommendations as indicative of the supervisory standard being applied more broadly.
DORA has applied since January 2025. Does this review suggest firms are materially non-compliant?
The AFM's language is measured. It acknowledges that the basic framework is generally in place. The concern is that compliance is not yet complete or durable, and that certain control areas have meaningful weaknesses. The regulator has confirmed it will intervene where statutory requirements are not met, so the gaps identified are not merely advisory.
What does the AFM mean by distinguishing policy from procedure?
DORA's text, along with associated implementing technical standards from ESMA and the other ESAs, specifies that certain requirements must be addressed at the policy level. Policies carry formal governance weight, including board or senior management approval. Procedures describe how a policy is executed. Conflating the two can mean a DORA-required policy item exists only as an operational procedure, which may not satisfy the governance requirement the regulation intends.
How does this apply to firms that use group ICT services?
The AFM found that intra-group ICT service arrangements are a specific risk area. Entities that rely on group-provided ICT infrastructure need to ensure DORA obligations are explicitly addressed in group-level governance documents, not assumed to be handled by the group entity. Regulators assess compliance at the individual entity level regardless of group structure.
Will the AFM conduct follow-up supervisory action based on this review?
The AFM has stated clearly that it monitors compliance with DORA requirements on an ongoing basis and that its reviews examine operational reality, not just documented policies. It has also confirmed that firms that do not fully meet legal requirements will face regulatory intervention. The thematic review is therefore a compliance roadmap as much as a retrospective assessment.
